Issue with VLAN Handling on APs Using wifiqcom-ac Driver Managed by New CAPsMAN

Hello all,

I have a question regarding the compatibility and proper functionality of access points using the wifiqcom-ac driver when managed through the new CAPsMAN.

I have been using MikroTik devices for a long time, not only for Wi-Fi, and I started working with CAPsMAN many years ago. Typically, I configure several virtual Wi-Fi interfaces via VLANs defined in CAPsMAN. Unfortunately, for some unexplained reason, the wifiqcom-ac driver does not accept VLAN settings from CAPsMAN, and VLANs need to be configured manually. While this is manageable, the real issue I am facing is much more disruptive:

Whenever there is any change—such as provisioning a new AP through CAPsMAN or a restart that triggers reprovisioning—the AP changes the names of its virtual Wi-Fi interfaces. As a result, the untagged VLAN settings for these Wi-Fi interfaces are lost. This has been causing major problems for me over the past four days.

Even following your official documentation, this behavior occurs, and all settings are lost. Creating a script to automatically reapply VLAN settings is extremely difficult because the AP does not provide sufficient information about the Wi-Fi interfaces—only comments are available, and parsing text for scripting is not straightforward.

Has anyone encountered this issue and found a simple solution? Or, if someone from MikroTik R&D is reading this, could you please consider implementing a systematic fix? It seems surprising that such a basic feature, which many routers handle easily, cannot be achieved here.

MikroTik has already given me quite a few headaches with wireless setups, but this issue is particularly frustrating.

Thank you for your time, and I appreciate any advice, workarounds, or—ideally—a permanent solution.

Martin

Just to tell you that you're not alone in this. The bad news: it's highly unlikely that MT will do anything about it as devices, running wifi-qcom-ac, are effectively obsolete (many models only have 16MB of flash which is way too little for ROSv with wifi-qcom-ac). AFAIK feature list of wifi-qcom-ac is exactly the same as was feature list of wifiwave2 (which was the unified package of what was split to core, wifi-qcom and wifi-qcom-ac in ROS v7.13). There were some advancements for wifi-qcom, but none for wifi-qcom-ac.

And no, I don't think there's a way around it. Even if using action=create-enabled in provisioning rules, newly provisioned interfaces will still appear as completely distinct from previous instances (but will survive reboots).
Since those manual actions (setting PVID to wifi port as member of bridge) have to be done on each CAP, one might "trigger" on MAC address. Unless CAPsMAN configuration overrides it, MAC Address will be the same every time for "master" interfaces (same as radio-mac). For virtual (slave) interfaces that might be different, but AFAIK MAC addresses of "slave" interfaces are based on MAC addresses of "master" interfaces with simple conversion from GUA to ULA.

Thanks, mkx, for the answer,

I understand that these are older devices, but I am responsible for several elementary schools where we have around 20 of these APs. Replacing all of them is financially challenging. When I add or replace a damaged unit, I install a new AX model, and I assumed that this is exactly why the wifiqcom-ac package exists.

I fully understand that VLAN acceptance from CAPsMAN might not be integrated, but what I don’t understand is why any change on the manager side causes the virtual interface numbers to change. This behavior is consistent across the entire portfolio—even the new AX models do the same. And if I want to mix older and newer devices, I still have to manually configure VLANs on the AX units outside of CAPsMAN. So the problem remains the same.

I am working on a robust script to handle this, but it is far from simple to make it work correctly across all APs. Honestly, this feels like a major design flaw from MikroTik—at least from my perspective.

20 APs?

wAP AX would be the cheapest at $90 US MSRP.

While I don’t know what you get paid… what's it cost when it doesn’t work?

You are looking at less than $2000. Have a bake sale or something.

As I lost a ton of money on the old AC stuff… I was really resistant to test the AX stuff. And after months of messing with it… it's working pretty well. But I sure as hell didn’t do the last 4 restaurants with Mikrotik wifi. The cheapest AP I have is $388 retail. If I went to the manufacturer and said “it's for a school” or something like that… they may bring my cost down to $150 a piece. Which would add more than a 1/3 to the cost of the job. But I wouldn’t think twice about asking for that money to fix the job and MOVE ON!

I’m not sure where you’re from, but here unfortunately elementary schools don’t have money to spare. Yes, there are older AC devices, and yes, sometimes they cause issues. In one school, due to its size, I have 21 APs. That’s why, whenever funds allow, I replace them with cAP ax units. I assumed that moving to the new driver—even for older AC models—would stabilize the entire network and make my job easier.

I’m not sure what APs you use, but for schools, around $400 for a single access point is simply too much, and nobody will cover that cost. So far, I haven’t found any company willing to provide these devices (routers, switches, APs) at a discounted price in the case of schools. In business environments, it’s different—there are options. Yes, I’ve spent countless hours fine-tuning the setup, and the new Wi-Fi drivers and AX APs are “fairly” stable. But I honestly don’t understand why MikroTik struggles so much with standard indoor Wi-Fi.

I’m close to finishing a script that I believe is robust enough to solve my issues and hopefully stabilize the overall Wi-Fi situation. Still, I would really appreciate an official opinion from MikroTik R&D on this matter: Is this considered a minor issue for you, something you don’t have resources for, or simply something you’ve decided not to address?

Washington DC. United States of America.

Now… you typed… as units break… you replace them with cap AX. A wAP AX is cheaper than a cAP AX. I was trying to save you some money.

Unless you live in absolute poverty. Like you don’t know if you can eat at night… I talk to you like you are a professional. And PROFESSIONALS GET PAID to perform a task.

Now… I also mentioned… MIKROTIK WIFI5 WAS GARBAGE! If you can’t accept that… you can’t accept reality. I have abused them on their own forum about it for years. SO MUCH SO… they admit to it and have posts where they told people that their gear was NOT GOING TO DO THE JOB. That MIKROTIK CUSTOMERS should look at other vendors for the wifi.

Moving on… The changes between caps-man 1 and the current are pretty severe. The way that AC driver interacts with current caps-man is just a mess. It has been for like a year. Your current gear has been in place for how long? Time to “break” a few more pieces.

As a “hired gun” without a pay check… I only get paid if it works. I have very little patience for things that don’t actually work.

I have been using a separate WiFi vendor for years with Mikrotik routers. “It's called RouterOS for a reason.”

Hi,

I just wanted to add some context: I do this work free of charge—only the hardware is purchased. Unfortunately, in some institutions here in the Czech Republic, funding is a real challenge.

The fact that Wi-Fi 5 from MikroTik performs poorly in larger installations with many clients is something I discovered only later, after investments had already been made. Through various settings and workarounds, I managed to stabilize the network, and it’s now reasonably fine. That’s why I was excited about wifiqcom-ac—I hoped it would take things to the next level and finally bring peace of mind.

Regarding hardware purchases, I’ve been using AX models because they can be mounted in the same spots and are suitable for ceiling installations with omnidirectional coverage. For wAP units, it’s a bit different, but they could probably work too—I’m just following the “round AP” approach for now.

I trusted MikroTik and honestly didn’t expect the problem to be on their side. I always assumed the issues were local—client drivers, environment, etc. I’d really like to know what AP solution you use because I have another institution coming up where I need to completely replace a very outdated Wi-Fi setup. I’m not sure whether to stick with MikroTik APs for this, though the switches and router are already purchased.

I was sucked in by caps-man and the cheap APs. Seeing connection stats from second to second was just too tempting to pass up.

Throw in that I was able to make my own version of D-PSK using ACLs. I was hooked!

Then after a lot of testing in MILDLY noisy environments… my superior jumped in. Once we started putting units in NOISY environments… all hell broke loose. Radios would stop accepting clients. But still show them connected and even the signal to and from them. Some APs would flat out shut off.

I worked with Mikrotik on it for months with very slow very useless input from Mikrotik for a while. Then I started beating on them here. Suddenly I got more than an email a week. Once I proved beyond any reasonable doubt the problem was THEIR DRIVER… I received an email stating that “They had reproduced the problem. And IF or WHEN they had a solution they would let me know.”

Several years later, the chipset drivers were released. YEARS!!! 5+ YEARS!

Spent a lot of my own money replacing things. Gave people things at DEAD cost just to try to salvage the relationship. These are not MSP clients where you keep them because they pay every month… no no… these were companies that were supposed to be BREAK FIX only. And before Mikrotik wireless… they would go months and years without a single call. The only calls we got were referrals.

I ran screaming back to Ruckus Wireless. While they cost more…. THEY WORK.

Cambium reached out to me and had nothing of interest. A few years later I was having regular issues with Ruckus that the new owners… didn’t seem to care about fixing. No longer could I write up a “Here is what happened.” “Here is how it affects things.” “Here is how you reproduce it.” “Here is what I have tried to mitigate it.” Those write ups went unanswered. A firmware with an obvious glitch would be patched but reintroduce an old bug. So now I had to vet new firmware from the ground up. Rather than check if the bugs were fixed. One bug persisted in every firmware for 18 months.

The cambium rep heard me blasting the Ruckus rep and sent me some gear. Found 3 glaring bugs that were clearly related. But the small one that most people didn’t notice… ACTUALLY WAS THE ISSUE. The other 2 issues hinged on that one. I sent all the stuff I used to send to Ruckus. Cambium called me and had me reproduce it for them. THEN THEY FIXED IT! This issue had been in all their gear for almost 2 years before I ever dealt with them. They fixed it and any time I trip over something… I have one Tech I am supposed to message. The ticketing system alerts another CSR who usually doesn’t read all I sent. But once I email Gary… he is in it. Dude sat in front of a monitor for 6 hours on a Saturday night while I demonstrated an issue. Then got me a firmware patch by Sunday’s shift.

I have not bought a part from Ruckus since. I still work on hundreds of them… but they are not on any bid sheet I put together.

Right now Cambium has a pricing problem. And one of the guys I worked with for years on the marketing side… took a job at Ruckus. So since I have their current gear… “Figured out” I am currently running 2 wAP AX at home and keeping track of the issues. (Which there are a lot fewer of.) But I know that if I put them on a bid sheet… everyone is gonna throw the wAP and cAP AC issues back in my face.


Cambium and Ruckus are more than 10 times more expensive, and that’s a real problem in environments where every dollar matters. On the other hand, I’ve read quite a lot about them, and in some cases, I can definitely see their value—especially where stability is more important than cost.

That said, I’ve ordered a Ubiquiti U6 Pro to test its stability. It’s about 2–3 times the price of MikroTik, but that’s still manageable… we’ll see how it performs.

I’ve also made significant progress with the wifiqcom-ac package. The official MikroTik guide is a bit misleading—the issue with constantly changing WiFi interface numbers can be solved very easily: on the AP configuration, you need to check Slave static. After provisioning, new interfaces appear; just add them to the bridge and assign the correct VLAN when adding them. Then, don’t bother with the VLANs tab—just tag the Ethernet ports that should carry the VLAN. Enable filtering, and dynamic assignment takes care of the rest. It’s a pity the documentation doesn’t seem to keep up with firmware changes, which clearly evolved.

My testing so far shows a big improvement in WiFi behavior—10 devices on one AP worked flawlessly. During the Christmas holidays, I’ll deploy this setup in a school for real-world testing under full load. So far, it looks like a stable configuration.

And you’re absolutely right—I had to spend a lot of time on this, which is definitely not economical. But I also see it as personal growth: all the things I had to learn, and even building up my mental endurance.

Thanks so much for your post—it really broadened my horizons! I’ll never reach your level of expertise, but at least I’m getting better at not pulling my hair out. …. :slight_smile:

Merry Christmas and all the best for the New Year!

It is. I asked support a while ago to clarify their capsman wifi-qcom-ac vlan sample, it has misleading config, but basically I was fobbed off. But support agreed that documentation could need improvement. Okay.

Correct. This is also seen in their sample config. Did you also need to remove datapath completely? In my capsman experiments, when you provision datapath (I don't mean vlan-id, I mean e.g. simple datapath "bridge=bridge" which assigns the interfaces to a bridge) the interfaces are dynamic bridge ports which can't be modified. I had to manually unset "datapath" on cap interfaces so I could assign the ports manually to bridge.

:exploding_head: Are you sure?

Yes, I am sure :slight_smile:

ROS version 7.20.6

In the case of slave wifi interfaces and VLANs, most has to be defined on the CAP.

No Datapath on CAP:

/interface/wifi/cap> print
                    enabled: yes                           
       discovery-interfaces: Bridge_AP_AC                  
              slaves-static: yes


/interface/bridge> print
Flags: D - dynamic; X - disabled, R - running 
 0  R name="Bridge_AP_AC" mtu=auto actual-mtu=1500 l2mtu=1560 arp=enabled arp-timeout=auto mac-address=CC:2D:E0:EA:66:32 
      protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=yes 
      dhcp-snooping=no port-cost-mode=long mvrp=no max-learned-entries=auto 

Added ports to bridge:

/interface/bridge/port> print
Columns: INTERFACE, BRIDGE, HW, HORIZON, TRUSTED, FAST-LEAVE, BPDU-GUARD, EDGE, POINT-TO-POINT, PVID, FRAME-TYPES
# INTERFACE  BRIDGE        HW   HORIZON  TRUSTED  FAST-LEAVE  BPDU-GUARD  EDGE  POINT-TO-POINT  PVID  FRAME-TYPES
0 ether1     Bridge_AP_AC  yes  none     no       no          no          auto  auto               1  admit-all  
1 ether2     Bridge_AP_AC  yes  none     no       no          no          auto  auto               1  admit-all  
2 wifi1      Bridge_AP_AC       none     no       no          no          auto  auto               1  admit-all  
3 wifi2      Bridge_AP_AC       none     no       no          no          auto  auto               1  admit-all  
4 wifi3      Bridge_AP_AC       none     no       no          no          auto  auto              10  admit-all  
5 wifi5      Bridge_AP_AC       none     no       no          no          auto  auto              10  admit-all  
6 wifi4      Bridge_AP_AC       none     no       no          no          auto  auto              20  admit-all  
7 wifi6      Bridge_AP_AC       none     no       no          no          auto  auto              20  admit-all

How the VLANs look on my ac CAP:

/interface/bridge/vlan> print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE        VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0   Bridge_AP_AC        10  ether2                          
                            ether1                          
1   Bridge_AP_AC        20  ether2                          
                            ether1                          
;;; added by pvid
2 D Bridge_AP_AC         1                  Bridge_AP_AC    
                                            ether1          
                                            ether2          
                                            wifi1           
                                            wifi2           
;;; added by pvid
3 D Bridge_AP_AC        10                  wifi3           
                                            wifi5           
;;; added by pvid
4 D Bridge_AP_AC        20                  wifi4           
                                            wifi6

The dynamic VLANs come from the bridge, and of course vlan-filtering is on ….

Here I am not sure if admit-all is correct, it is still under investigation…. :slight_smile:

This setting works during any test I have done…. I mean … restart of the main router, new provisioning on the router, restart of the CAP, unexpected power failure, simply everything that can happen … I hope :slight_smile:

I'll see how it performs in real-world conditions, but I've done a lot of testing.
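An added example, not part of any post in this thread: a Python check that parses the `/interface/bridge/port print` table posted above and flags wifi ports that dropped off the bridge, reappeared under a new name, or fell back to PVID 1 after a reprovision. `EXPECTED_PVID`, the function names and the drifted table are assumptions made for the illustration.

```python
import re

# Port table as posted in the thread (/interface/bridge/port print). The HW
# column is blank for wifi ports, so rows differ in token count.
POSTED = """\
# INTERFACE  BRIDGE        HW   HORIZON  TRUSTED  FAST-LEAVE  BPDU-GUARD  EDGE  POINT-TO-POINT  PVID  FRAME-TYPES
0 ether1     Bridge_AP_AC  yes  none     no       no          no          auto  auto               1  admit-all
1 ether2     Bridge_AP_AC  yes  none     no       no          no          auto  auto               1  admit-all
2 wifi1      Bridge_AP_AC       none     no       no          no          auto  auto               1  admit-all
3 wifi2      Bridge_AP_AC       none     no       no          no          auto  auto               1  admit-all
4 wifi3      Bridge_AP_AC       none     no       no          no          auto  auto              10  admit-all
5 wifi5      Bridge_AP_AC       none     no       no          no          auto  auto              10  admit-all
6 wifi4      Bridge_AP_AC       none     no       no          no          auto  auto              20  admit-all
7 wifi6      Bridge_AP_AC       none     no       no          no          auto  auto              20  admit-all
"""
# Constructed sample (not from the thread): after a reprovision, two virtual
# interfaces came back under new names and one kept its name but lost its PVID.
DRIFTED = """\
0 wifi1  Bridge_AP_AC  none  no  no  no  auto  auto   1  admit-all
1 wifi2  Bridge_AP_AC  none  no  no  no  auto  auto   1  admit-all
2 wifi7  Bridge_AP_AC  none  no  no  no  auto  auto   1  admit-all
3 wifi8  Bridge_AP_AC  none  no  no  no  auto  auto   1  admit-all
4 wifi4  Bridge_AP_AC  none  no  no  no  auto  auto  20  admit-all
5 wifi6  Bridge_AP_AC  none  no  no  no  auto  auto   1  admit-all
"""
# Intended interface-to-VLAN plan, read off the posted table (assumption).
EXPECTED_PVID = {"wifi1": 1, "wifi2": 1, "wifi3": 10, "wifi5": 10,
                 "wifi4": 20, "wifi6": 20}

def parse_bridge_ports(text):
    """Return {interface: pvid}; name is read from the left, PVID from the right."""
    ports = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # header, flag legend, ';;;' comment or blank line
        fields = tok[1:]
        while fields and re.fullmatch(r"[A-Z]", fields[0]):
            fields = fields[1:]  # skip single-letter row flags such as D or I
        if len(fields) >= 4 and fields[-2].isdigit():
            ports[fields[0]] = int(fields[-2])
    return ports

def audit(ports, expected):
    """List (interface, problem) pairs where the bridge deviates from the plan."""
    findings = []
    for name in sorted(expected):
        if name not in ports:
            findings.append((name, "missing from bridge"))
        elif ports[name] != expected[name]:
            findings.append((name, f"pvid {ports[name]}, expected {expected[name]}"))
    for name in sorted(ports):
        if name.startswith("wifi") and name not in expected:
            findings.append((name, f"unplanned wifi port on pvid {ports[name]}"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(parse_bridge_ports(DRIFTED), EXPECTED_PVID):
        print(f"{name}: {problem}")
```

Run against output collected from each CAP after a provisioning change, an empty result means every wifi port is still untagged in its intended VLAN.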

I think it comes from this:

What's new in 7.16 (2024-Sep-20 16:00):
*) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge;


I pointed out early… The best price I can get for cap AX is $112.

If I buy enough of them… I can get a 2x2 AX indoor ceiling mounted antenna for $130.

I have seen Cambium XV2-2s sold online at reputable distributors for $100 each, during sales.

Ruckus R550s… I regularly see them on Amazon and the like for $350-$500.

That ain’t 10 times. And as I always say… “it doesn’t matter what it costs, when it doesn’t work!”

These cambiums retail for €400+ incl. vat. A cap ax is about €105+ currently.

The problem is that I am not able to get the material you mentioned for the price you mentioned …. :frowning:

This is the reason why I ordered Ubiquiti and am testing its stability.

See picture:

In the Czech Republic, Ruckus is more expensive than Cambium.

All official distributors here are at the same price. The picture above is from Amazon.

MikroTik WiFi is working, not at 100% but working … My price for AX is under 100$. AX seems to be working well. AC with the new driver and settings also seems to be working without any major problems. In our country, institutions really save money wherever they can, and I understand that it's difficult to understand. Maybe if I started billing them the full amount of my work, they would start thinking differently, but it would probably end up with them finding someone else to manage it for them, and somehow it would work... but you have to experience it to understand it...

That is good. In our country, people talk a lot about being economical. However, when it comes to purchases, favoritism still prevails. Unnecessarily expensive support contracts and/or devices are preferred, mainly because tenders are written in a way that favors them. In the end, the products do not work any better - but at least they are labeled "enterprise".


How about the XV2-21x?

That’s the preferred AP for the guys that used to use cap XLs.

The XV2-21x is about 3% cheaper than the XV2-2x... It seems that Europe is an uninteresting market for Cambium, or perhaps I am not understanding something.

$586 vs $388 retail here in the US.